This page aggregates publicly disclosed CVE and security risk information related to mofinetwork, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2021-27715 | An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the authentication and execute arbitrary code via crafted HTTP request. | [email protected] | 9.8 | 0.06% | 2023-09-08 | 2024-11-21 |
| CVE-2020-15836 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function passes untrusted data to the operating system without proper sanitization. A crafted request can be sent to execute arbitrary commands as root. | [email protected] | 9.8 | 0.94% | 2021-02-01 | 2024-11-21 |
| CVE-2020-15835 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The authentication function contains undocumented code that provides the ability to authenticate as root without knowing the actual root password. An adversary with the private key can remotely authenticate to the management interface as root. | [email protected] | 9.8 | 0.36% | 2021-02-01 | 2024-11-21 |
| CVE-2020-15834 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The wireless network password is exposed in a QR encoded picture that an unauthenticated adversary can download via the web-management interface. | [email protected] | 7.5 | 0.28% | 2021-02-01 | 2024-11-21 |
| CVE-2020-15833 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The Dropbear SSH daemon has been modified to accept an alternate hard-coded path to a public key that allows root access. This key is stored in a /rom location that cannot be modified by the device owner. | [email protected] | 9.8 | 0.45% | 2021-02-01 | 2024-11-21 |
| CVE-2020-15832 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.1.5-std devices. The poof.cgi script contains undocumented code that provides the ability to remotely reboot the device. An adversary with the private key (but not the root password) can remotely reboot the device. | [email protected] | 7.5 | 0.37% | 2021-02-01 | 2024-11-21 |
| CVE-2020-13860 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password. | [email protected] | 7.5 | 0.32% | 2021-02-01 | 2024-11-21 |
| CVE-2020-13859 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature. | [email protected] | 9.8 | 0.34% | 2021-02-01 | 2024-11-21 |
| CVE-2020-13858 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations. | [email protected] | 9.8 | 0.49% | 2021-02-01 | 2024-11-21 |
| CVE-2020-13857 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They can be rebooted by sending an unauthenticated poof.cgi HTTP GET request. | [email protected] | 7.5 | 0.37% | 2021-02-01 | 2024-11-21 |
| CVE-2020-13856 | An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. Authentication is not required to download the support file that contains sensitive information such as cleartext credentials and password hashes. | [email protected] | 7.5 | 0.29% | 2021-02-01 | 2024-11-21 |